Gang Surrenders Key to TeslaCrypt Ransomware Kingdom

By John P. Mello Jr.
May 20, 2016 3:06 PM PT

Eset on Wednesday announced that it has fashioned a free tool that victims of all variants of the TeslaCrypt ransomware can use to unlock affected files.

After the criminal gang behind TeslaCrypt recently abandoned support of the malicious software, an Eset analyst contacted the group anonymously, using the channel TeslaCrypt's operators offered to ransomware victims, and asked for the universal master decryption key, the company said.

To Eset's surprise, the operators made it public.

Why So Generous?

Why the TeslaCrypt posse decided to share the master decryption key to software that's made millions of dollars is unknown.

"While it is possible that they felt bad for the damage done, another possible reason is that they wanted to start fresh with a new codebase," said Lysa Myers, a security researcher with Eset.

After being in the ransomware racket for a while, the crew may have discovered that maintaining good software of any kind can be challenging. "Sometimes updates to an existing product can make things more error-prone, which makes it harder to make money," she told TechNewsWorld.

"Ending an old project can allow for a clean slate from which to start again," Myers added.

While the TeslaCrypt operators' move is surprising, it's unlikely they're getting out of the ransomware business, said Rahul Kashyap, chief security architect with Bromium.

"They may want to change their payment scheme or try out a different business model," he told TechNewsWorld. "It's unlikely that they're deserting the ransomware business."

Good Business Practice

If the TeslaCrypt crew does indeed want to remain in the ransomware business, then releasing the master decryption key to the software could be a strategic move, noted Mark Nunnikhoven, vice president of cloud research at Trend Micro.

"While it may seem like the right thing to do, there's a profit motivation even in this," he told TechNewsWorld.

"Ransomware criminals rely on their reputation of actually releasing the data in order to entice victims to pay," Nunnikhoven said. "If the gang behind TeslaCrypt left victims high and dry, any new campaigns they are associated with would be less likely to be profitable due to their previous reputation."

Fear of law enforcement is another possible reason for releasing the master key, surmised Brad Cyprus, chief of security and compliance at Netsurion.

"The group may be concerned that if they continue to develop the code, it is only a matter of time before law enforcement catches them," he told TechNewsWorld.

"By turning in the decryption key," Cyprus continued, "they're hoping to fall lower on law enforcement's radar while other malware and ransomware projects will garner more attention, leaving the makers of TeslaCrypt to spend their ill-gotten gains."

Ransomware on Decline

How much might those ill-gotten gains be?

Since ransomware gangs don't file reports with the SEC, any numbers associated with ransomware are slippery at best, but TeslaCrypt had about 10 percent of a market that reaps US$700 million to $800 million annually, Vishal Gupta, CEO of Seclore, estimated.

"Eighty million dollars is the size of a large startup company," he told TechNewsWorld.

TeslaCrypt was a laggard among ransomware programs, Trend Micro's Nunnikhoven said. "TeslaCrypt has never been among the top earners for ransomware since its first appearance about a year ago."

"While still devastating to its victims, it never showed signs of the wild profitability we've seen with Cryptolocker or Locky," he said.

Use of TeslaCrypt has been on the decline in recent weeks, said Daniel Korsunsky, director of product strategy at Comodo.

"Currently, it's unclear if the former TeslaCrypt engineers have abandoned the extortion business altogether or simply moved on to another strain of malicious software," he told TechNewsWorld.

"The latter is extremely likely," Korsunsky added, "especially given that TeslaCrypt was starting to crumble under the weight of a multitude of decryptors that were making it less effective when used."

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.